Required Specification

The HIPAA Security Rule, or the security standards for the protection of healthcare data as it is otherwise known, provides a set of regulations aimed at ensuring the protection of patients’ health information stored or transmitted in electronic form (ePHI). As an extension to the protections outlined in the HIPAA Privacy Rule, the Security Rule was intentionally designed to be flexible enough to accommodate the structure and size of any Covered Entity (CE), as well as advancements in technology and evolving cybersecurity threats.

With the rapid adoption of new technology in the healthcare industry, it is more important than ever for CEs and Business Associates (BAs) today to understand an essential part of the rule, the difference between addressable and required implementation specifications.

What is a Required Specification?

All CEs must comply with every “Standard” set forth in the Security Rule. There are two types of implementation specifications that fall under those standards: some required and some addressable.

Compliance with required specifications in HIPAA’s Security Rule is mandatory. An example of a required specification is the risk analysis that must be conducted, even by small providers, in accordance with Section 164.308(a)(1). Another example of a required specification is that a “unique user identification” is required to access ePHI. No questions, no discussion. These things are expected and required.

What is an Addressable Provision?

Unlike required specifications, rules classified as addressable provisions are slightly different and provide a bit more flexibility. Addressable provisions, however, are not optional. CEs and BAs must fully understand this. They must also understand the difference between and the nuances of both required and addressable provisions, in order to remain in compliance.

According to the Security Rule, “The concept of ‘addressable implementation specifications’ was developed to provide covered entities additional flexibility with respect to compliance with the security standards.” This means CEs and BAs can approach specifications defined as addressable from an assessment perspective, rather than a mandated one, in order to determine whether the rule is appropriate and reasonable given their environment. In short, addressable provisions cover more of what needs to get done instead of how CEs are supposed to do it.

CEs have two choices after performing an assessment of the validity of the addressable provision within their organization: They can implement the specification without any modifications, or they can implement an equal, yet alternative, solution that also meets with compliance.

Conversely, the CE can determine that equivalent measures are not reasonable and appropriate. (Note that technical infrastructure, resources, and cost are all factors that can be used to determine how reasonable or appropriate a solution is for an individual company.) Bear in mind, CEs and BAs must provide documentation for all phases throughout the assessment and decision-making process. This is a critical operational function.

As an example, according to the Security Rule, while encryption for data in transit is required, encryption for data at rest is addressable. However, that does not mean that entities can tread lightly when it comes to encrypting. If encryption is found to be reasonable and appropriate, and especially given today’s increasing number of access points to information, CEs should consider expanding encryption beyond ePHI into privileges and passwords.

What are the Ramifications of Being Non-Compliant?

The Department of Health and Human Services (HHS) provides education and training for CEs to make it easier for them to stay compliant with the Security Rule. As more technologies evolve though (take mobile for example), so do the threats to information stored digitally. Healthcare data has become more sought after than financial data, and one in three Americans suffered a breach in their healthcare information last year alone.

Entities that violate the Security Rule can face civil or even criminal penalties for noncompliance. Fines for civil penalties range from $25,000 to $1.5 million per calendar year, and criminal penalties range from $50,000 plus one year of jail time to $250,000 plus ten years’ incarceration.

Large breaches as a result of non-compliance also take more than a monetary toll on entities. In an industry where trustworthiness and professionalism reign supreme, failing to protect patient data in such a public way can severely damage a company’s reputation and, as a result, its bottom line.

The Takeaway

Compliance is always necessary. It is especially relevant today, as organizations prepare for HIPAA audits. Although only about 300 provider organizations across the country will be audited, it is important for entities to prepare by conducting internal risk assessments, updating breach policies, and ensuring all written documentation is completed accurately.

When in doubt, companies should act rather than debate what is addressable or required. After all is said and done, HIPAA’s security standards only set a baseline. Doing more to protect ePHI and business interests is always better than doing less. When it comes to the systems and processes you have in place to protect ePHI, how does your business stack up? Are you ready for an audit?

Never Worry about Falling Out of Compliance with LightEdge

LightEdge has HIPAA secure data center locations at our Des Moines, Kansas City, Omaha, Austin, and Raleigh data center facilities. With LightEdge, you can achieve auditable HIPAA compliance. With a specific background working with healthcare organizations, our data center and hosting solutions provide you with the confidence you need to meet HIPAA requirements.

LightEdge offers a free risk assessment from our Chief Security Officer as an added expert resource to all of our customers. Compliance and security are top priorities to guarantee that your data is protected. While there is no certification for HIPAA, LightEdge has successfully undergone a third-party examination against the HIPAA Security Rule and has been issued a Type 1 AT 101 letter of attestation confirming our alignment with HIPAA safeguards. LightEdge is compliant with:

If you are interested in getting a risk free assessment from our healthcare compliance experts, a tour of any of our HIPAA compliant data centers or to learn more about LightEdge’s compliance offers, contact us here. We have cloud hosting security and compliance experts standing by to answer any of your questions.

If you want to learn more about HIPAA compliance, download our two e-books, Patient Privacy and Data Security: Utilizing IT Vendors to Meet HIPAA Compliance and Avoid, and How to Deploy a Secure Compliant Cloud for Healthcare.



director of compliance
Michael Hannan

Michael has eleven years of information systems, IT, consulting, and compliance experience. His expertise includes identifying and implementing general IT systems, applications, and business controls in conjunction with external compliance audits.

Michael is currently the Director of Compliance at LightEdge, helping to establish, maintain, and enforce the information security policies and procedures that keep LightEdge customers protected at all times.